CVE Remediation Guide & Workflow for Flake-based Nix Systems

This guide provides a general workflow for identifying, assessing, and remediating CVEs (Common Vulnerabilities and Exposures) in a Nix flake-based infrastructure, leveraging the tools and scripts provided in this repository.


1. Vulnerability Scanning

  • Run a scan:
    • Both just vulscan and the manual command below scan the closure linked by the ./result symlink, so build the system closure first if it does not already exist:
      nom build .#nixosConfigurations.<host>.config.system.build.toplevel

    • Use the vulnix tool to scan your system’s Nix store for known vulnerabilities:
      just vulscan

      # or

      nix run nixpkgs#vulnix -- -j -w whitelist.toml $(nix-store --query --deriver ./result) > vulnix.json

    • This produces a machine-readable vulnix.json file with all detected CVEs.

  • Generate reports:
    • Use the provided script to generate human-readable reports:
      python3 ./scripts/vulnix-report-gen.py vulnix.json -f markdown -o vulnerabilities-report.md
      python3 ./scripts/vulnix-report-gen.py vulnix.json -f terminal -o vulnerabilities-report.txt --no-color
      python3 ./scripts/vulnix-report-gen.py vulnix.json -f json -o vulnerabilities-report.json
    

2. Review & Prioritize

  • Executive summary:
    • Review the summary in the generated reports for counts and severity distribution.
  • Detailed findings:
    • Focus on packages with CRITICAL and HIGH CVEs first.
    • Review package names, versions, and associated CVEs.
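The prioritization step above, as an added example that is not one of this repository's scripts: it reads the vulnix.json produced by the scan, buckets open CVEs by CVSS v3 rating so CRITICAL and HIGH findings are reviewed first, and extracts the ids above a cutoff the way the CI workflow and just vulscan do. It assumes the vulnix -j record shape (a list of objects with pname, version, affected_by and cvssv3_basescore); the sample input is constructed with placeholder CVE ids.

```python
"""Triage vulnix -j output by CVSS v3 score (added example, not a repository script).
Assumed vulnix -j record shape: a list of objects with "pname", "version",
"affected_by" (open CVE ids) and "cvssv3_basescore" (CVE id -> float score)."""
import json
from collections import defaultdict

# Constructed sample standing in for vulnix.json; CVE ids and scores are placeholders.
SAMPLE_VULNIX_JSON = """[
  {"pname": "openssl", "version": "3.0.0",
   "affected_by": ["CVE-0000-0001", "CVE-0000-0002"],
   "cvssv3_basescore": {"CVE-0000-0001": 9.8, "CVE-0000-0002": 5.3}},
  {"pname": "curl", "version": "8.0.0",
   "affected_by": ["CVE-0000-0003", "CVE-0000-0004"],
   "cvssv3_basescore": {"CVE-0000-0003": 7.5}}
]"""

def load_vulnix(text):
    """Parse the contents of vulnix.json (vulnix -j output) into a list of records."""
    return json.loads(text)

def severity(score):
    """NVD qualitative rating for a CVSS v3 base score; None = vulnix had no score."""
    if score is None:
        return "UNSCORED"
    if score >= 9.0:
        return "CRITICAL"
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW" if score > 0.0 else "NONE"

def triage(records):
    """Group open CVEs as {rating: [(pname, version, cve, score)]}, highest score first;
    unscored CVEs go to UNSCORED rather than being dropped, so a new CVE still surfaces."""
    buckets = defaultdict(list)
    for rec in records:
        scores = rec.get("cvssv3_basescore") or {}
        for cve in rec.get("affected_by", []):
            score = scores.get(cve)
            buckets[severity(score)].append((rec["pname"], rec["version"], cve, score))
    for findings in buckets.values():
        findings.sort(key=lambda f: -(f[3] or 0.0))
    return dict(buckets)

def critical_cves(records, threshold=7.0):
    """Sorted CVE ids scoring strictly above threshold (CI uses 7.0, just vulscan 9)."""
    return sorted({cve for r in records
                   for cve, s in (r.get("cvssv3_basescore") or {}).items()
                   if cve in r.get("affected_by", []) and s > threshold})
```

Run it against a real scan with `triage(load_vulnix(open("vulnix.json").read()))`; the UNSCORED bucket is worth a look on every scan, since a CVE published before NVD assigns a score has no CVSS value to filter on.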

3. Remediation Workflow

  1. Update Packages:
     • Update the affected package(s) in your flake inputs or overlays.
     • Rebuild the system:
       nix flake update
       ./scripts/system-flake-rebuild.sh  # or your preferred rebuild command

  2. Patch or Replace:
     • If no upstream fix is available, consider patching the package or using an alternative.
     • Document any temporary mitigations.
  3. Whitelist (if necessary):
     • If a CVE is a false positive or not applicable, add it to whitelist.toml with justification.

4. Verification

  • Re-scan:
    • After remediation, re-run the scan and regenerate reports to confirm resolution.
  • CI Integration:
    • These steps are already wired into the .github/workflows/cve.yml workflow (“CVE Scanning and SBOM Generation”), which builds the mokou system closure, runs vulnix with whitelist.toml, extracts critical CVEs (CVSS > 7.0), generates an SBOM via sbomnix, uploads the results as artifacts, and comments on pull requests.
    • Its push and pull_request triggers are currently commented out, so today only workflow_dispatch is active; the workflow runs manually rather than automatically on every change.

5. Documentation & Audit

  • Track changes:
    • Commit updated reports and remediation notes to version control.
  • Audit trail:
    • Use the markdown and JSON reports as artifacts for compliance and audits.

6. Automation

  • Use the just tasks and scripts in this repository to automate scanning, reporting, and basic remediation steps. The security group provides:
    • just vulscan — scan ./result with vulnix and write vulnix.json plus critical_cves.json (CVSS > 9).
    • just critical-cves — print a human-readable report of the critical CVEs.
    • just critical-dependence-tree — generate a dependency tree (why-depends) for each critical CVE to aid remediation.
    • just vulstats — analyze CVSSv3 score trends across the history of vulnix.json.
    • just sbom <host> — generate an SBOM for the given system configuration via sbomnix.
  • See justfile and modules/flake/programs/shell.nix for available commands and shells.

References